HIPAA


The HIPAA final rule includes changes designed to increase patient privacy and secure health information. The final rule became effective March 26, 2013, and had a compliance date of Sept. 23, 2013. Here’s a look at what’s different and how to address the changes in your practice.

Broader Definition, More Liability for BAs

Expanded Definition of BAs: Business associates (BAs) are organizations that create, receive, transmit or maintain protected health information (PHI). More organizations are considered BAs under the final rule. In addition, business associates’ subcontractors are now also considered BAs, so they need to agree to the same terms you’ve established with the BA.

Greater BA Liability: Business associates are now directly liable for uses and disclosures of PHI and must inform physician practices within 60 days of discovering a breach. BAs are required to implement safeguards, policies and procedures to protect PHI; they must also maintain documentation demonstrating compliance.

Action item: Conduct BA training. It’s a good idea to train business associates to make sure they have procedures in place to avoid a breach of protected health information. Note that your practice can be held liable for a breach caused by a BA or subcontractor acting as your agent.

Updates to the Notice of Privacy Practices

Action item: Update Notice of Privacy Practices. Physicians were required to update their Notice of Privacy Practices by Sept. 23, 2013. The revised notice must include the following:

Patients have the right to restrict disclosures of PHI to health plans if they pay for services out of pocket in full

The patient’s authorization is required for use and disclosure of PHI for marketing purposes

The patient’s authorization is required for use and disclosure of PHI that would constitute a sale of PHI

Patients have the right to opt out of fundraising communications

Other uses and disclosures of PHI not described in the notice will be made only with authorization from the patient

Patients have the right to be notified if they are affected by a breach of unsecured PHI

The revised notice must also be:

Posted in a prominent location in your practice, such as the patient waiting room

Posted on your website, if you have one

Given to new patients starting Sept. 23, 2013

Made available to existing patients on request

Patients May Request Records, Restrict PHI Disclosure

Patients may request EHR records: If you use electronic health records (EHRs) in your practice, patients must be able to obtain a copy of their medical records upon request. You can require that requests be made in writing, but fees cannot be greater than the practice’s labor costs in responding to the request. Requests must be completed within 30 days, with a one-time extension of up to 30 days.

Patients can restrict PHI disclosure. Patients have the right to restrict disclosures of PHI to their health plan if they pay out of pocket in full. Note that if state or other laws require providers to submit a claim and there’s no exception for those who pay out of pocket, you may disclose the PHI to the health plan.

Action item: Protect restricted PHI. Develop a system for “flagging” PHI that has been restricted by a patient to be sure it’s not inadvertently disclosed to a health plan.
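One way to build the "flag" the action item calls for is to store the restriction on the record itself and check it in a single disclosure gate that every outbound path (claims, eligibility, treatment referrals) must pass through. The example below is added here and is not part of the AOA page; the record fields, recipient categories and the `state_law_requires_claim` override are assumptions for illustration. It shows the two edge cases the page raises: a restriction only attaches when the service was paid out of pocket in full, and a state-law claim mandate with no self-pay exception lets the disclosure proceed. Every decision is written to an audit log so the practice can later show the flag was consulted.

```python
"""Gate that blocks health-plan disclosure of self-pay-restricted PHI.

Added example, not code from the AOA page. Field names, recipient categories
and the state-law override are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Recipient(Enum):
    TREATING_PROVIDER = "treating_provider"
    HEALTH_PLAN = "health_plan"


@dataclass
class Encounter:
    """One visit's PHI. `restricted_from_plan` is the patient-requested flag."""
    encounter_id: str
    patient_id: str
    paid_in_full_out_of_pocket: bool
    restricted_from_plan: bool = False


@dataclass
class DisclosureLog:
    """Audit trail of (encounter, recipient, decision) for later review."""
    entries: List[Tuple[str, str, str]] = field(default_factory=list)

    def record(self, encounter_id: str, recipient: Recipient, decision: str) -> None:
        self.entries.append((encounter_id, recipient.value, decision))


def request_restriction(enc: Encounter) -> bool:
    """Set the flag only when the page's precondition holds: the service was
    paid out of pocket in full. Returns whether the restriction was applied."""
    if not enc.paid_in_full_out_of_pocket:
        return False
    enc.restricted_from_plan = True
    return True


def may_disclose(enc: Encounter, recipient: Recipient, log: DisclosureLog,
                 state_law_requires_claim: bool = False) -> bool:
    """Return True if disclosing this encounter to `recipient` is permitted.

    Treatment disclosures are unaffected by a health-plan restriction. A
    health-plan disclosure is blocked while the flag is set, unless a law
    mandates claim submission with no self-pay exception (the page's caveat).
    """
    if recipient is not Recipient.HEALTH_PLAN:
        log.record(enc.encounter_id, recipient, "allowed")
        return True
    if enc.restricted_from_plan and not state_law_requires_claim:
        log.record(enc.encounter_id, recipient, "blocked:patient_restriction")
        return False
    reason = "allowed:legal_mandate" if enc.restricted_from_plan else "allowed"
    log.record(enc.encounter_id, recipient, reason)
    return True


def demo() -> List[Tuple[str, str, str]]:
    """Constructed sample: one self-pay visit the patient asks to restrict."""
    log = DisclosureLog()
    visit = Encounter("enc-001", "pt-42", paid_in_full_out_of_pocket=True)
    request_restriction(visit)
    may_disclose(visit, Recipient.TREATING_PROVIDER, log)  # treatment: allowed
    may_disclose(visit, Recipient.HEALTH_PLAN, log)        # plan: blocked
    may_disclose(visit, Recipient.HEALTH_PLAN, log, state_law_requires_claim=True)
    return log.entries


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running the module prints three log entries: the treatment disclosure allowed, the health-plan disclosure blocked by the patient restriction, and the same disclosure allowed once the legal-mandate override applies. Routing all outbound PHI through `may_disclose` is what makes the flag effective; a flag that is only displayed in the chart, but not enforced at the point of claim submission, is exactly the inadvertent disclosure the action item warns about.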

Risk assessment process: Breach notification isn’t required if the physician or BA can demonstrate through a risk assessment that there is a low probability the PHI has been compromised. If you determine the unauthorized disclosure wasn’t a breach, you should maintain documentation to support your stance. If you decide to notify patients about the disclosure, you’re not required to conduct the risk assessment.

Breach notification process: If a breach occurs, you must notify the Secretary of the Department of Health and Human Services (HHS) within 60 days of the end of the calendar year when the breach was found, if it affects fewer than 500 individuals. If the breach affects more than 500 patients, you must notify the HHS Secretary immediately.

Action item: Develop a plan ahead of time. Reduce the risk of a breach by determining who can and can’t access PHI. Set up a plan for conducting and documenting a risk assessment. Likewise, establish who is responsible for notifying the HHS Secretary in the event of a breach.

Increased Penalties for Noncompliance

Penalties for HIPAA violations can be anywhere from $100 to $50,000 per violation; the annual limit is $1.5 million. Some health care experts believe the federal government is moving toward enforcing noncompliance more rigorously than in the past, so it’s more important than ever to take proactive steps to make sure your practice is complying with HIPAA requirements.

Sample Letter for Vendors

Dear Vendor (Clearinghouse, EHR system, Medicare, private payers):

My practice uses your (name of product) product/services, version (number). As HIPAA 5010 implementation approaches, we would like some information and clarification about your plans to upgrade your systems. Specifically, we would like to know your plans for updating software to comply with HIPAA transactions.

Can you provide a timetable for the following:

1) When will you be installing upgrades, and will there be a charge for this upgrade?

2) Will my practice need additional hardware or support services to install the upgrade(s)?

Thank you in advance for your compliance with, and prompt attention to, this request.

Sincerely,


AOA HIPAA Privacy Manual

The AOA has published two comprehensive guides, available exclusively to our members, to help you stay compliant with the new HIPAA regulations that took effect Sept. 23. The guides focus on the HIPAA privacy and security rules and provide step-by-step instructions on how to bring your practice into compliance.

Download HIPAA Templates

State Health Privacy Laws

In addition to the federal HIPAA requirements, several states have also implemented supplemental laws for health privacy that must be followed. To assist members in complying with these requirements, the AOA Division of State Government Affairs has compiled a database of state health privacy laws.

Before using this information, members should verify that the laws listed are current. If any laws have been revised or changed, please contact the AOA Division of State Government Affairs at ssa-dl@osteopathic.org.

AOA HIPAA Policy

The AOA has an internal HIPAA privacy policy enabling us to work with members and insurers on coding, reimbursement or managed care problems without utilizing patient-specific, identifiable health information. For all inquiries from AOA members, we request the following:

Patient records must have all HIPAA-protected health information removed.

If the physician must identify the patient, the physician must assign a code number or name to the file.

If you send us patient-protected health information, we will immediately shred the information and notify you that material must be re-submitted without the patient information.

We suggest that each state association and specialty college examine their policies to determine what patient information they use to assist members, and adopt an internal HIPAA privacy policy to prevent violations of HIPAA.